The FBI used a non-public vulnerability to hack suspects on Tor

When the FBI hacked thousands of computers related to a child porn investigation in 2015, the agency took advantage of a “non-publicly-known vulnerability,” according to a judge in a related case.

The news highlights the ongoing trend of the FBI leveraging security issues in software and devices, especially as criminal suspects turn to anonymization technology such as Tor, or use consumer products that have encryption features baked into them.

In this case, the vulnerability may not have been a so-called zero-day — that is, one that is unknown to the manufacturer or developer of the target product — which would bring up contentious issues of the FBI’s responsibility to disclose it to affected parties. But the judge’s comments are the most detail yet on what sort of vulnerability the FBI took advantage of to hack some 8,700 computers in 120 countries. In February 2015, the FBI seized dark web child pornography site Playpen, and used what the agency calls a network investigative technique (NIT) — a piece of malware — to break into suspected visitors’ computers and learn their real IP addresses.

“With the user's true IP address came the FBI's ability to determine the actual identity and location of the suspected Playpen user,” Timothy L. Brooks, United States district judge, wrote in a court filing earlier this month. “The FBI's NIT was able to do all this by first exploiting a defective window, i.e., a non-publicly-known vulnerability,” Brooks added. In this analogy, the vulnerability used to bypass the suspect’s browser protections is the defect in a window’s lock; the FBI then used an exploit, say, a lock-pick or another tool, to take advantage of that and break in.

“The judge’s description does suggest the FBI’s exploit uses a zero-day vulnerability,” Denelle Dixon-Thayer, chief legal and business officer of Mozilla, told Motherboard in an email. The Tor Browser, which many Playpen visitors would have used, is based on Mozilla’s Firefox; they share much of the same code. In May, Mozilla asked the FBI to reveal the vulnerability used in the Playpen hacking campaign. This was so the non-profit could fix the issue if it applied to Firefox, and protect its hundreds of millions of users.

“Governments and technology companies both have a role to play in ensuring people’s security online. Disclosing vulnerabilities to technology companies first, allows us to do our job to prevent users from being harmed and to make the Web more secure,” Dixon-Thayer wrote in a blog post at the time. The FBI using a zero-day would thus be notable as it would mean the bureau used an exploit in investigations while leaving regular users vulnerable.

The FBI does take advantage of zero-days, Amy Hess, the former head of one of the agency's hacking units, the Operational Technology Division, said in a December 2015 interview. But to be clear, the judge's comments do not state, with any certainty, whether the FBI did use a zero-day vulnerability in this instance.

“0day is an inadequate term to describe the vast spectrum of potential states in which software security issues can exist,” Dan Guido, the founder of cybersecurity firm Trail of Bits, told Motherboard in an email. Another way of reading it is that the vulnerability is a bug that was patched upstream by Mozilla, or in a software library they use, but the fix was not available in a version released to the public.

“The other option is that it is something that is fixed, but not known to be security relevant, or not known to apply to the Tor Browser,” Dave Aitel, a former NSA security researcher and now founder of cybersecurity company Immunity, told Motherboard in an email. The Tor Project declined to comment for this article.

The FBI and Department of Justice have refused to hand over the exploit code to defense teams, even when ordered by judges to do so, preferring to lose convictions rather than disclose their investigative techniques in detail. Judge Brooks’ filing was in the case of Anthony Allen Jean, whose lawyers are arguing that they need a copy of the exploit to properly defend their client. The judge, however, has sided with the FBI.

“Mere knowledge of the particular vulnerability exploited here could potentially lead the expert to later build his own exploit, or assist others in doing so, thereby effectively circumventing a protective order,” Judge Brooks wrote. According to court filings, 100,000 people logged into Playpen over the 13 days the FBI controlled it. The FBI, however, obtained around 8,700 IP addresses with its malware during that time, according to a court transcript.

Regardless, the Playpen operation is another entry in the FBI's growing list of cases in which it used vulnerabilities to circumvent protections afforded to users. Earlier this year, the FBI paid for a technique to unlock an iPhone 5C used by Syed Farook, one of the deceased perpetrators behind the San Bernardino terrorist attack. The FBI did not respond to a request for comment.